fix: Member Information Disclosure via Public Endpoint #8646

apps/api/plane/space/views/project.py

@@ -63,6 +63,11 @@ class ProjectMembersEndpoint(BaseAPIView):
 
     def get(self, request, anchor):
         deploy_board = DeployBoard.objects.filter(anchor=anchor).first()
+        if not deploy_board:
+            return Response(
+                {"error": "Invalid anchor"},
+                status=status.HTTP_404_NOT_FOUND,
+            )
 
         members = ProjectMember.objects.filter(
             project=deploy_board.project,
@@ -71,10 +76,7 @@ class ProjectMembersEndpoint(BaseAPIView):
         ).values(
             "id",
             "member",
-            "member__first_name",
-            "member__last_name",
             "member__display_name",
-            "project",
+            "member__avatar",
-            "workspace",
         )
         return Response(members, status=status.HTTP_200_OK)

apps/space/core/types/member.d.ts

@@ -1,10 +1,6 @@
 export type TPublicMember = {
   id: string;
   member: string;
-  member__avatar: string;
-  member__first_name: string;
-  member__last_name: string;
   member__display_name: string;
-  project: string;
+  member__avatar: string;
-  workspace: string;
 };

packages/types/src/users.ts

@@ -196,12 +196,8 @@ export type TProfileViews = "assigned" | "created" | "subscribed";
 export type TPublicMember = {
   id: string;
   member: string;
-  member__avatar: string;
-  member__first_name: string;
-  member__last_name: string;
   member__display_name: string;
-  project: string;
+  member__avatar: string;
-  workspace: string;
 };
 
 // export interface ICurrentUser {